USA – Cyber Incident Reporting Act for critical infrastructure is enacted

Authors

Jane Finlayson-Brown, Partner, London

Natalie Montano Young, Associate, New York

21 March 2022

On 15 March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act 2022 (Cyber Incident Reporting Act). The House of Representatives passed the bill on 9 March 2022.

The Cyber Incident Reporting Act will require critical infrastructure entities in the US to report substantial cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity reasonably believes that the incident occurred, and to report all ransomware payments within 24 hours after making the payment. When significant new or different information regarding an incident becomes available, an entity must provide CISA with update reports containing this information until the incident is fully resolved and mitigated.

CISA will issue further regulations in the next 24 months to specify the thresholds for notifiable cybersecurity incidents, the scope of the notification and which information about the mitigation and resolution of the incident should be provided. CISA will need to be notified of all ransom payments, regardless of whether the incident was required to be reported. Entities will also be required to preserve data relating to the incident or ransom payment according to the procedures defined by CISA. The Cyber Incident Reporting Act will not become effective until the final rule is proposed and published by CISA.

The Cyber Incident Notification Act will apply to entities in critical infrastructure sectors, including, for instance, communications, financial services, energy, healthcare, information technology and critical manufacturing. CISA will have powers to compel compliance with the reporting obligations and may refer cases to the Attorney General for civil enforcement actions.

Read the Cyber Incident Notification Act which is part of the Consolidated Appropriations Act 2022 (H.R. 2471).

This article was co-authored by Jose Basabe.
